Skip to content

added support for certificates and insecure #96

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cooperspencer wants to merge 2 commits into
base: master
Choose a base branch
from
Open

added support for certificates and insecure #96

cooperspencer wants to merge 2 commits into from

Conversation

@cooperspencer
Copy link

@cooperspencer cooperspencer commented Jun 25, 2024

I added TLS support if squid runs on secure ports and also an option for insecure connections.

dswarbrick
dswarbrick reviewed Jul 3, 2024
View reviewed changes
@dswarbrick
Copy link
Contributor

dswarbrick commented Jul 9, 2024

As I understand it, this PR adds support for client TLS authentication when talking to the Squid manager endpoint, i.e. squid-exporter will communicate securely with Squid and identify itself with a client cert (if configured). Is that correct?

If so, then presumably you would need to configure an ACL on Squid to verify one or more attributes of the client's (i.e., squid-exporter) certificate that it presents in the TLS handshake. Can you perhaps elaborate on your use case?

@cooperspencer
Copy link
Author

cooperspencer commented Jul 10, 2024

I guess this is a misunderstanding. This pull request is not about supporting client certificates, but supporting self signed certificates by adding a custom trust store. This way, the squid exporter can trust the certificate presented by squid without relying on the system trust database.

@dswarbrick
Copy link
Contributor

dswarbrick commented Jul 10, 2024
edited
Loading

Ok, but loading certificates into the Certificates slice of a tls.Config is for presenting to the other side of the connection, i.e.

	// Certificates contains one or more certificate chains to present to the
	// other side of the connection. ...
	Certificates []Certificate

When using the tls.Config for a client (i.e. with tls.Dial()), the Certificates are used to perform TLS client authentication.

Note that you don't have to use the host system's CA bundle.

	// RootCAs defines the set of root certificate authorities
	// that clients use when verifying server certificates.
	// If RootCAs is nil, TLS uses the host's root CA set.
	RootCAs *x509.CertPool

So if you wanted to support (and verify) a self-signed cert being used by Squid, you could simply add that cert to your tls.Config's RootCAs, and it would then be trusted. This avoids the need for squid-exporter to have the private key, and is also more fitting for a typical enterprise PKI scenario, i.e. using an in-house CA root certificate.

There is no reason for the client (i.e. squid-exporter) to present a TLS cert, unless you're trying to implement some kind of mutual TLS - in which case you would likely still want to refer to a custom root CA, used to sign the (distinct) certs on both sides of the connection.

@boynux boynux force-pushed the master branch 4 times, most recently from af487ac to 8f78989 Compare May 3, 2025 12:31
boynux
boynux reviewed May 3, 2025
View reviewed changes
collector/client.go
func (ch *connectionHandlerImpl) connect() (net.Conn, error) {
return net.Dial("tcp", fmt.Sprintf("%s:%d", ch.hostname, ch.port))
if ch.certificate != "" && ch.key != "" {
cert, err := tls.LoadX509KeyPair(ch.certificate, ch.key)
Copy link
Owner

@boynux boynux May 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR, I think this is a good addition. however I'm not sure if squid server supports client certs for this work, does it?

If you meant to support when the cache manager port is behind a secure port as the insecure flag implies then I think the right approach might be what's explained here: https://gist.github.com/denji/12b3a568f092ab951456?permalink_comment_id=1695690#gistcomment-1695690

Please let me know if I misunderstood anything :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@boynux boynux boynux left review comments

+1 more reviewer

@dswarbrick dswarbrick dswarbrick left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cooperspencer @dswarbrick @boynux